General

Target: 94cf0811c042811a570505a14af536a5.exe
Size: 596KB
Sample: 210211-8wd7dd262x
MD5: 94cf0811c042811a570505a14af536a5
SHA1: 80373791f6df8e24d072308c3f56d11438741aaf
SHA256: 36f82bc3bcd30f18bb210cd10881cfe13e9a22e06e26930828bb6c8a951bfafe
SHA512: 25912f1a83eb62acfd37f829244da464fbc3736383d1022a9fdcf7a61bfce8b11c93f2226f41e497425391a5d65f04691841cc5cd885189fa3c6abb3659f6fe6
Static task: static1
Behavioral task: behavioral1
Sample: 94cf0811c042811a570505a14af536a5.exe
Resource: win7v20201028
Malware Config

Extracted
danabot
1765
3
192.236.192.241:443
134.119.186.199:443
172.93.201.39:443
104.168.156.222:443
embedded_hash: 82C66843DE542BC5CB88F713DE39B52B
Targets

Target: 94cf0811c042811a570505a14af536a5.exe
Size: 596KB
MD5: 94cf0811c042811a570505a14af536a5
SHA1: 80373791f6df8e24d072308c3f56d11438741aaf
SHA256: 36f82bc3bcd30f18bb210cd10881cfe13e9a22e06e26930828bb6c8a951bfafe
SHA512: 25912f1a83eb62acfd37f829244da464fbc3736383d1022a9fdcf7a61bfce8b11c93f2226f41e497425391a5d65f04691841cc5cd885189fa3c6abb3659f6fe6
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger